package se.swedenconnect.opensaml.xmlsec;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import java.security.Key;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.KeyTransportAlgorithmPredicate;
import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.KeyInfoGenerationProfileCriterion;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.opensaml.security.credential.KeyAgreementCredential;
import se.swedenconnect.opensaml.xmlsec.algorithm.ExtendedAlgorithmSupport;
import se.swedenconnect.opensaml.xmlsec.config.ExtendedDefaultSecurityConfigurationBootstrap;
import se.swedenconnect.opensaml.xmlsec.encryption.KeyDerivationMethod;
import se.swedenconnect.opensaml.xmlsec.encryption.support.ConcatKDFParameters;
import se.swedenconnect.opensaml.xmlsec.encryption.support.ECDHSupport;
import se.swedenconnect.opensaml.xmlsec.encryption.support.EcEncryptionConstants;

/* loaded from: input_file:se/swedenconnect/opensaml/xmlsec/ExtendedEncryptionParametersResolver.class */
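/**
 * An {@link EncryptionParameters} resolver that extends {@link BasicEncryptionParametersResolver} with key agreement
 * support. Peer credentials supporting key agreement are tried before ordinary key transport credentials; when no
 * key transport algorithm can be resolved for such a credential, a {@link KeyAgreementCredential} is generated
 * instead (ECDH-ES with ConcatKDF is the only agreement/derivation combination implemented here).
 *
 * <p>
 * Key agreement settings are read from {@link ExtendedEncryptionConfiguration} instances found in the
 * {@link EncryptionConfigurationCriterion} of the criteria set; if none is present the defaults from
 * {@link #getDefaultEncryptionConfiguration()} are used only when {@link #setUseKeyAgreementDefaults(boolean)} has
 * been set to {@code true}.
 * </p>
 */
public class ExtendedEncryptionParametersResolver extends BasicEncryptionParametersResolver {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(ExtendedEncryptionParametersResolver.class);

    /**
     * Whether the default key agreement settings should be used when the criteria carry no
     * {@link ExtendedEncryptionConfiguration}.
     */
    private boolean useKeyAgreementDefaults = false;

    /** Lazily created default configuration, see {@link #getDefaultEncryptionConfiguration()}. */
    private BasicExtendedEncryptionConfiguration defaultEncryptionConfiguration;

    /**
     * Resolves and populates data encryption and key transport credentials and algorithms. Differs from the base
     * implementation in that peer key agreement credentials are placed first among the key transport credentials,
     * and that a key agreement credential is generated when a peer credential supports key agreement but no key
     * transport algorithm could be resolved for it.
     *
     * @param encryptionParameters the parameters instance to populate
     * @param criteriaSet the criteria used for resolution
     * @param predicate the whitelist/blacklist predicate applied to algorithm URIs
     */
    @Override
    public void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull final EncryptionParameters encryptionParameters,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {

        // Peer key agreement credentials take precedence over ordinary key transport credentials.
        final List<Credential> keyTransportCredentials =
            new ArrayList<>(this.getEffectivePeerKeyAgreementCredentials(criteriaSet));
        keyTransportCredentials.addAll(this.getEffectiveKeyTransportCredentials(criteriaSet));

        final List<String> keyTransportAlgorithms = this.getEffectiveKeyTransportAlgorithms(criteriaSet, predicate);
        log.trace("Resolved effective key transport algorithms: {}", keyTransportAlgorithms);

        final List<String> keyWrappingAlgorithms = this.resolveKeyWrappingAlgorithms(keyTransportAlgorithms);
        log.trace("Resolved effective key wrapping algorithms: {}", keyWrappingAlgorithms);

        this.resolveDataEncryption(encryptionParameters, criteriaSet, predicate);

        // Key agreement settings - only used if a peer credential supports key agreement.
        final List<String> keyAgreementMethods = this.getEffectiveKeyAgreementMethods(criteriaSet, predicate);
        if (keyAgreementMethods.isEmpty()) {
            log.debug("No key agreement methods found in configuration ...");
        }
        final List<String> keyDerivationAlgorithms = this.getEffectiveKeyDerivationAlgorithms(criteriaSet, predicate);
        if (keyDerivationAlgorithms.isEmpty()) {
            log.debug("No key derivation algorithms found in configuration ...");
        }
        final ConcatKDFParameters concatKDFParameters =
            keyDerivationAlgorithms.contains(EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT)
                ? this.getConcatKDFParameters(criteriaSet, predicate)
                : null;

        final KeyTransportAlgorithmPredicate keyTransportPredicate = this.resolveKeyTransportAlgorithmPredicate(criteriaSet);

        for (final Credential credential : keyTransportCredentials) {
            final String keyTransportAlgorithm = this.resolveKeyTransportAlgorithm(credential, keyTransportAlgorithms,
                encryptionParameters.getDataEncryptionAlgorithm(), keyTransportPredicate);

            if (keyTransportAlgorithm != null) {
                encryptionParameters.setKeyTransportEncryptionCredential(credential);
                encryptionParameters.setKeyTransportEncryptionAlgorithm(keyTransportAlgorithm);
                this.resolveAndPopulateRSAOAEPParams(encryptionParameters, criteriaSet, predicate);
                break;
            }

            if (ExtendedAlgorithmSupport.peerCredentialSupportsKeyAgreement(credential)
                    && !keyAgreementMethods.isEmpty() && !keyDerivationAlgorithms.isEmpty()) {
                if (this.populateKeyAgreement(encryptionParameters, credential, keyWrappingAlgorithms,
                        keyAgreementMethods, keyDerivationAlgorithms, concatKDFParameters)) {
                    break;
                }
            }
            else {
                log.debug("Unable to resolve key transport algorithm for credential with key type '{}', considering other credentials",
                    keyAlgorithm(credential));
            }
        }

        this.processDataEncryptionCredentialAutoGeneration(encryptionParameters);
    }

    /**
     * Maps the effective key transport algorithms to the subset that are key wrapping algorithms.
     *
     * @param keyTransportAlgorithms effective key transport algorithm URIs
     * @return the URIs of those algorithms that are key wrapping algorithms (never {@code null})
     */
    @Nonnull
    private List<String> resolveKeyWrappingAlgorithms(@Nonnull final List<String> keyTransportAlgorithms) {
        final AlgorithmRegistry registry = this.getAlgorithmRegistry();
        return keyTransportAlgorithms.stream()
            .map(registry::get)
            // URIs unknown to the registry have no descriptor to inspect.
            .filter(Objects::nonNull)
            .filter(ExtendedAlgorithmSupport::isKeyWrappingAlgorithm)
            .map(descriptor -> descriptor.getURI())
            .collect(Collectors.toList());
    }

    /**
     * Resolves the data encryption credential and algorithm. Without data encryption credentials only the algorithm is
     * resolved; otherwise the first credential for which an algorithm can be resolved is selected.
     *
     * @param encryptionParameters the parameters instance to populate
     * @param criteriaSet the criteria used for resolution
     * @param predicate the whitelist/blacklist predicate applied to algorithm URIs
     */
    private void resolveDataEncryption(@Nonnull final EncryptionParameters encryptionParameters,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {

        final List<Credential> dataEncryptionCredentials = this.getEffectiveDataEncryptionCredentials(criteriaSet);
        final List<String> dataEncryptionAlgorithms = this.getEffectiveDataEncryptionAlgorithms(criteriaSet, predicate);
        log.trace("Resolved effective data encryption algorithms: {}", dataEncryptionAlgorithms);

        if (dataEncryptionCredentials.isEmpty()) {
            encryptionParameters.setDataEncryptionAlgorithm(
                this.resolveDataEncryptionAlgorithm(null, dataEncryptionAlgorithms));
            return;
        }
        for (final Credential credential : dataEncryptionCredentials) {
            final String algorithm = this.resolveDataEncryptionAlgorithm(credential, dataEncryptionAlgorithms);
            if (algorithm != null) {
                encryptionParameters.setDataEncryptionCredential(credential);
                encryptionParameters.setDataEncryptionAlgorithm(algorithm);
                return;
            }
            log.debug("Unable to resolve data encryption algorithm for credential with key type '{}', considering other credentials",
                keyAlgorithm(credential));
        }
    }

    /**
     * Tries to generate a key agreement credential for the given peer credential using each key wrapping algorithm in
     * turn, populating the key transport credential and algorithm of {@code encryptionParameters} on success.
     *
     * @param encryptionParameters the parameters instance to populate
     * @param peerCredential the peer credential supporting key agreement
     * @param keyWrappingAlgorithms candidate key wrapping algorithm URIs, tried in order
     * @param keyAgreementMethods configured key agreement method URIs
     * @param keyDerivationAlgorithms configured key derivation algorithm URIs
     * @param concatKDFParameters ConcatKDF parameters, or {@code null} to use the defaults
     * @return {@code true} if a key agreement credential was generated and set, {@code false} otherwise
     */
    private boolean populateKeyAgreement(@Nonnull final EncryptionParameters encryptionParameters,
            @Nonnull final Credential peerCredential, @Nonnull final List<String> keyWrappingAlgorithms,
            @Nonnull final List<String> keyAgreementMethods, @Nonnull final List<String> keyDerivationAlgorithms,
            @Nullable final ConcatKDFParameters concatKDFParameters) {

        for (final String keyWrappingAlgorithm : keyWrappingAlgorithms) {
            try {
                final Credential keyAgreementCredential = this.generateKeyAgreementCredential(peerCredential,
                    keyWrappingAlgorithm, keyAgreementMethods, keyDerivationAlgorithms, concatKDFParameters);
                if (keyAgreementCredential == null) {
                    // generateKeyAgreementCredential returns null when it cannot produce a credential; never set a
                    // key wrapping algorithm without a credential to go with it.
                    continue;
                }
                encryptionParameters.setKeyTransportEncryptionCredential(keyAgreementCredential);
                encryptionParameters.setKeyTransportEncryptionAlgorithm(keyWrappingAlgorithm);
                return true;
            }
            catch (final SecurityException e) {
                log.error("Failed to create key agreement credential using {} key wrapping - {}",
                    keyWrappingAlgorithm, e.getMessage(), e);
            }
        }
        return false;
    }

    /**
     * Returns the algorithm name of the encryption key of a credential, for logging purposes.
     *
     * @param credential the credential (may be {@code null})
     * @return the key algorithm, or the string {@code "null"} if no key could be extracted
     */
    private static String keyAlgorithm(@Nullable final Credential credential) {
        final Key key = CredentialSupport.extractEncryptionKey(credential);
        return key != null ? key.getAlgorithm() : "null";
    }

    /**
     * Generates a key agreement credential for the given peer credential. Only ECDH-ES key agreement combined with
     * the ConcatKDF key derivation algorithm is supported; if either is not among the configured methods
     * {@code null} is returned.
     *
     * @param peerCredential the peer credential
     * @param keyWrappingAlgorithm the key wrapping algorithm URI
     * @param keyAgreementMethods configured key agreement method URIs
     * @param keyDerivationAlgorithms configured key derivation algorithm URIs
     * @param concatKDFParameters ConcatKDF parameters, or {@code null} to use those of the default configuration
     * @return a key agreement credential, or {@code null} if the configured methods are not supported
     * @throws SecurityException for errors creating the credential, or if no ConcatKDF parameters are available
     */
    @Nullable
    protected Credential generateKeyAgreementCredential(@Nonnull final Credential peerCredential,
            @Nonnull final String keyWrappingAlgorithm, @Nonnull final List<String> keyAgreementMethods,
            @Nonnull final List<String> keyDerivationAlgorithms, @Nullable final ConcatKDFParameters concatKDFParameters)
            throws SecurityException {

        if (!keyAgreementMethods.contains(EcEncryptionConstants.ALGO_ID_KEYAGREEMENT_ECDH_ES)) {
            log.info("{} not among configured key agreement methods - it's the only supported key agreement method at the moment",
                EcEncryptionConstants.ALGO_ID_KEYAGREEMENT_ECDH_ES);
            return null;
        }
        if (!keyDerivationAlgorithms.contains(EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT)) {
            log.info("{} not among configured key derivation algorithms - it's the only supported algorithm at the moment",
                EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT);
            return null;
        }

        ConcatKDFParameters kdfParameters = concatKDFParameters;
        if (kdfParameters == null) {
            log.debug("No ConcatKDFPars found in configuration, using default parameters ...");
            kdfParameters = this.getDefaultEncryptionConfiguration().getConcatKDFParameters();
            if (kdfParameters == null) {
                // Report a missing default as the declared exception type instead of failing on toXMLObject() below.
                throw new SecurityException("No ConcatKDF parameters available for key derivation");
            }
        }

        final KeyDerivationMethod keyDerivationMethod =
            (KeyDerivationMethod) XMLObjectSupport.buildXMLObject(KeyDerivationMethod.DEFAULT_ELEMENT_NAME);
        keyDerivationMethod.setAlgorithm(EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT);
        keyDerivationMethod.getUnknownXMLObjects().add(kdfParameters.toXMLObject());

        return ECDHSupport.createKeyAgreementCredential(peerCredential, keyWrappingAlgorithm, keyDerivationMethod);
    }

    /**
     * Returns the effective key agreement methods. These are taken from the {@link ExtendedEncryptionConfiguration}
     * instances in the criteria (filtered by runtime support and the supplied predicate), or from the default
     * configuration if none is present and {@link #setUseKeyAgreementDefaults(boolean)} has been set.
     *
     * @param criteriaSet the criteria used for resolution
     * @param predicate the whitelist/blacklist predicate applied to algorithm URIs
     * @return a (possibly empty) list of key agreement method URIs
     */
    @Nonnull
    public List<String> getEffectiveKeyAgreementMethods(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate) {

        final List<String> methods = new ArrayList<>();
        final List<ExtendedEncryptionConfiguration> extendedConfigurations = this.getExtendedConfiguration(criteriaSet);

        if (!extendedConfigurations.isEmpty()) {
            final Predicate<String> allowed = Predicates.and(this.getAlgorithmRuntimeSupportedPredicate(), predicate);
            for (final ExtendedEncryptionConfiguration configuration : extendedConfigurations) {
                methods.addAll(Collections2.filter(configuration.getAgreementMethodAlgorithms(), allowed));
            }
            return methods;
        }

        if (this.useKeyAgreementDefaults) {
            methods.addAll(this.getDefaultEncryptionConfiguration().getAgreementMethodAlgorithms());
            log.debug("Assuming default key agreement methods: {}", methods);
        }
        else {
            log.debug("useDefaultKeyAgreementMethods is not set and criteria contains no ExtendedEncryptionConfiguration - No key agreement methods can be found");
        }
        return methods;
    }

    /**
     * Returns the effective key derivation algorithms. These are taken from the
     * {@link ExtendedEncryptionConfiguration} instances in the criteria, or from the default configuration if none is
     * present and {@link #setUseKeyAgreementDefaults(boolean)} has been set.
     *
     * @param criteriaSet the criteria used for resolution
     * @param predicate the whitelist/blacklist predicate
     * @return a (possibly empty) list of key derivation algorithm URIs
     */
    @Nonnull
    public List<String> getEffectiveKeyDerivationAlgorithms(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate) {

        final List<String> algorithms = new ArrayList<>();
        final List<ExtendedEncryptionConfiguration> extendedConfigurations = this.getExtendedConfiguration(criteriaSet);

        if (!extendedConfigurations.isEmpty()) {
            // NOTE(review): unlike getEffectiveKeyAgreementMethods, the predicate is not applied to the configured
            // key derivation algorithms here - confirm that this is intended.
            for (final ExtendedEncryptionConfiguration configuration : extendedConfigurations) {
                algorithms.addAll(configuration.getKeyDerivationAlgorithms());
            }
            return algorithms;
        }

        if (this.useKeyAgreementDefaults) {
            algorithms.addAll(this.getDefaultEncryptionConfiguration().getKeyDerivationAlgorithms());
            log.debug("Assuming default key derivation algorithms: {}", algorithms);
        }
        else {
            log.debug("useDefaultKeyAgreementMethods is not set and criteria contains no ExtendedEncryptionConfiguration - No key derivation methods can be found");
        }
        return algorithms;
    }

    /**
     * Returns the ConcatKDF parameters to use. The first {@link ExtendedEncryptionConfiguration} in the criteria whose
     * parameters use a digest method accepted by the predicate wins; without extended configurations the default
     * configuration is consulted if {@link #setUseKeyAgreementDefaults(boolean)} has been set.
     *
     * @param criteriaSet the criteria used for resolution
     * @param predicate the whitelist/blacklist predicate applied to the digest method URI
     * @return the ConcatKDF parameters, or {@code null} if none are available
     */
    @Nullable
    public ConcatKDFParameters getConcatKDFParameters(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate) {

        final List<ExtendedEncryptionConfiguration> extendedConfigurations = this.getExtendedConfiguration(criteriaSet);

        if (extendedConfigurations.isEmpty()) {
            return this.useKeyAgreementDefaults
                ? this.getDefaultEncryptionConfiguration().getConcatKDFParameters()
                : null;
        }

        for (final ExtendedEncryptionConfiguration configuration : extendedConfigurations) {
            final ConcatKDFParameters parameters = configuration.getConcatKDFParameters();
            if (parameters == null) {
                // A configuration without ConcatKDF parameters cannot contribute anything.
                continue;
            }
            if (predicate.apply(parameters.getDigestMethod())) {
                return parameters;
            }
            log.debug("ConcatKDFParams found in criteria states digest method '{}' - this is not valid according to white/black list",
                parameters.getDigestMethod());
        }
        return null;
    }

    /**
     * Collects the peer key agreement credentials from all {@link ExtendedEncryptionConfiguration} instances in the
     * criteria.
     *
     * @param criteriaSet the criteria used for resolution
     * @return a (possibly empty) list of peer credentials
     */
    @Nonnull
    protected List<Credential> getEffectivePeerKeyAgreementCredentials(@Nonnull final CriteriaSet criteriaSet) {
        final List<Credential> credentials = new ArrayList<>();
        for (final ExtendedEncryptionConfiguration configuration : this.getExtendedConfiguration(criteriaSet)) {
            credentials.addAll(configuration.getKeyAgreementCredentials());
        }
        return credentials;
    }

    /**
     * Extracts the {@link ExtendedEncryptionConfiguration} instances from the {@link EncryptionConfigurationCriterion}
     * of the criteria.
     *
     * @param criteriaSet the criteria used for resolution
     * @return the extended configurations, or an empty list if the criterion is missing
     */
    @Nonnull
    private List<ExtendedEncryptionConfiguration> getExtendedConfiguration(@Nonnull final CriteriaSet criteriaSet) {
        final EncryptionConfigurationCriterion criterion = criteriaSet.get(EncryptionConfigurationCriterion.class);
        if (criterion == null) {
            log.debug("No EncryptionConfigurationCriterion available");
            return Collections.emptyList();
        }
        return criterion.getConfigurations().stream()
            .filter(ExtendedEncryptionConfiguration.class::isInstance)
            .map(ExtendedEncryptionConfiguration.class::cast)
            .collect(Collectors.toList());
    }

    /**
     * Resolves the key transport {@link KeyInfoGenerator}. Falls back to the generator manager built by
     * {@link ExtendedDefaultSecurityConfigurationBootstrap#buildBasicKeyInfoGeneratorManager()} when the base
     * implementation finds none and the credential is a {@link KeyAgreementCredential}.
     *
     * @param criteriaSet the criteria used for resolution
     * @param credential the key transport credential (may be {@code null})
     * @return a generator, or {@code null} if none could be resolved
     */
    @Override
    @Nullable
    public KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull final CriteriaSet criteriaSet,
            @Nullable final Credential credential) {

        final KeyInfoGenerator generator = super.resolveKeyTransportKeyInfoGenerator(criteriaSet, credential);
        if (generator != null || !(credential instanceof KeyAgreementCredential)) {
            return generator;
        }
        final KeyInfoGenerationProfileCriterion profile = criteriaSet.get(KeyInfoGenerationProfileCriterion.class);
        return this.lookupKeyInfoGenerator(credential,
            ExtendedDefaultSecurityConfigurationBootstrap.buildBasicKeyInfoGeneratorManager(),
            profile != null ? profile.getName() : null);
    }

    /**
     * Sets whether the default key agreement settings should be used when the criteria carry no
     * {@link ExtendedEncryptionConfiguration}. Defaults to {@code false}.
     *
     * @param useKeyAgreementDefaults {@code true} to fall back to the defaults
     */
    public void setUseKeyAgreementDefaults(final boolean useKeyAgreementDefaults) {
        this.useKeyAgreementDefaults = useKeyAgreementDefaults;
    }

    /**
     * Logs the resolved parameters at debug level. Key agreement credentials get a dedicated layout; everything else
     * is delegated to the base implementation.
     *
     * @param encryptionParameters the resolved parameters
     */
    @Override
    protected void logResult(final EncryptionParameters encryptionParameters) {
        if (!log.isDebugEnabled()) {
            return;
        }
        final Credential keyTransportCredential = encryptionParameters.getKeyTransportEncryptionCredential();
        if (!(keyTransportCredential instanceof KeyAgreementCredential)) {
            super.logResult(encryptionParameters);
            return;
        }
        final KeyAgreementCredential keyAgreementCredential = (KeyAgreementCredential) keyTransportCredential;
        final KeyDerivationMethod keyDerivationMethod = keyAgreementCredential.getKeyDerivationMethod();

        log.debug("Resolved EncryptionParameters:");
        log.debug("\tKey agreement algorithm: {}", keyAgreementCredential.getAgreementMethodAlgorithm());
        log.debug("\tKey derivation method: {}",
            keyDerivationMethod != null ? keyDerivationMethod.getAlgorithm() : "null");
        log.debug("\tPeer credential with key algorithm: {}", keyAlgorithm(keyAgreementCredential.getPeerCredential()));
        log.debug("\tKey wrapping algorithm: {}", encryptionParameters.getKeyTransportEncryptionAlgorithm());
        log.debug("\tKey transport KeyInfoGenerator: {}",
            encryptionParameters.getKeyTransportKeyInfoGenerator() != null ? "present" : "null");

        final Key dataEncryptionKey = CredentialSupport.extractEncryptionKey(encryptionParameters.getDataEncryptionCredential());
        if (dataEncryptionKey != null) {
            log.debug("\tData encryption credential with key algorithm: {}", dataEncryptionKey.getAlgorithm());
        }
        else {
            log.debug("\tData encryption credential: null");
        }
        log.debug("\tData encryption algorithm URI: {}", encryptionParameters.getDataEncryptionAlgorithm());
        log.debug("\tData encryption KeyInfoGenerator: {}",
            encryptionParameters.getDataKeyInfoGenerator() != null ? "present" : "null");
    }

    /**
     * Returns the default extended encryption configuration, building it on first use from the global
     * {@link EncryptionConfiguration}. The lazy initialization is not synchronized.
     *
     * @return the default configuration
     */
    private BasicExtendedEncryptionConfiguration getDefaultEncryptionConfiguration() {
        if (this.defaultEncryptionConfiguration == null) {
            this.defaultEncryptionConfiguration = ExtendedDefaultSecurityConfigurationBootstrap
                .buildDefaultEncryptionConfiguration(ConfigurationService.get(EncryptionConfiguration.class));
        }
        return this.defaultEncryptionConfiguration;
    }
}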
